
Can Your Compliance Program Manage All of Your Organization's Risks? Discussing the Proposition of Enterprise Wide Risk Management February 6, 2003 PwC.



Presentation transcript:

Slide 1: Can Your Compliance Program Manage All of Your Organization's Risks? Discussing the Proposition of Enterprise Wide Risk Management
February 6, 2003
PwC
Michael L. Shaw, Senior Manager

PricewaterhouseCoopers LLP

Slide 2: Overview
- Corporate Compliance Programs Defined
- Enterprise-Wide Risk Management Defined
- Key Differences
- How Your Organization Can Benefit From Enterprise-Wide Risk Management
- Applying EWRM to Satisfy Sarbanes-Oxley Requirements
- A Suggested Approach for Implementing EWRM

Slide 3: Compliance Defined
A compliance program is a management process comprised of formal reporting structures and risk mitigation systems designed to motivate, measure, and monitor an organization's legal and ethical performance around complex business practices.

Slide 4: Elements of a Traditional Compliance Program
- Federal Sentencing Guidelines
- Experience from other industry sectors
- OIG Compliance Program Guidance

The seven elements (shown alongside each of the following slides):
1. Standards and Procedures
2. Oversight Responsibility
3. Education and Training
4. Lines of Communication
5. Monitoring and Auditing
6. Enforcement and Discipline
7. Response and Prevention

Slide 5: Elements of a Traditional Compliance Program: Standards and Procedures
- Code of Conduct
- Commitment by senior management
- Distribution to applicable employees and contractors
- Updating to address new risks
- Values approach
- Records retention

Slide 6: Elements of a Traditional Compliance Program: Oversight Responsibility
- High-level involvement
- Responsibility for developing, operating, and monitoring the compliance program
- Direct access to Board and/or CEO
- Updates to Board and/or CEO
- Operational Committee

Slide 7: Elements of a Traditional Compliance Program: Education and Training
- General and specific training sessions on a periodic basis
- Cover commitment, reinforce policies and procedures, and address risks
- Conducted for applicable employees and contractors
- Documentation of training efforts

Slide 8: Elements of a Traditional Compliance Program: Lines of Communication
- Hotlines
- Exit interviews
- Periodic surveys
- Supervisor accountability
- Documentation of issues identified and resolved
- Periodic reports on issues handled
- Non-retaliation policy

Slide 9: Elements of a Traditional Compliance Program: Monitoring and Auditing
- Internal or external evaluators to perform regular reviews
- Focus on high-risk areas
- Validation of policies and procedures
- Qualifications of reviewers
- Corrective action in response to audit results
- Monitoring and reporting of audit efforts

Slide 10: Elements of a Traditional Compliance Program: Enforcement and Discipline
- Consequences of violating the law, the Code of Conduct, or policies and procedures
- Violations reviewed and resolved on a case-by-case basis
- Consistent disciplinary action
- Confidentiality
- Periodic reports of action taken

Slide 11: Elements of a Traditional Compliance Program: Response and Prevention
- Prompt investigations of reasonable allegations of suspected noncompliance
- Decisive steps to correct problems identified
- Reporting to Government when appropriate, under the advice of legal counsel

Slide 12: Notable Quote
"I think the guidelines may need to say something more about the need to have ongoing auditing and testing of a compliance program on paper to ensure that it is effective in practice."
- U.S. Sentencing Commission Vice Chair, John R. Steer

Slide 13: EWRM Explained
- Increasingly, best-in-class organizations are embedding their compliance programs into an expanded view of enterprise wide risk management (EWRM). Approached in this way, compliance transitions from a reactive, process-intensive activity to a dynamic program that enables the organization to manage a broad range of changes that can impact its performance.
- EWRM defines risks as events or activities that can affect the achievement of an organization's goals.
- EWRM addresses all organizational goals, objectives and relationships with key stakeholders.
- EWRM is an anticipatory, proactive process that becomes a key part of strategy and planning. EWRM helps mitigate surprises and ensures all organizations are aligned with key objectives.

Slide 14: EWRM Explained
- By pulling together the disciplines that address both sides of risk (minimizing uncertainty and maximizing opportunities), the concept pushes an organization to address risks and their management explicitly, as part of everyday business.
- An EWRM framework emphasizes the need for processes to (1) identify risk, (2) assess risk and (3) manage risk.
- EWRM can be implemented at any level of the organization, in whole or in part (i.e. business unit, functional process, geography).
- A robust compliance program is the cornerstone of managing risk across the organization.

Slide 15: EWRM Explained
[Diagram: a maturity spectrum running from Reactive through Proactive to Strategic. Labels on the diagram: Managing crisis; Complying with known laws and regulations; Seeking to meet industry compliance requirements; Risk & Compliance external reporting; Control Self Assessment; Enterprise Risk Assessment; Strategy Building; Enterprise Wide Risk Management Program. A marker asks "Most Organizations Today?"]
Building in an Enterprise Wide Risk Management program: current best practice. Pulling together the disciplines that address both sides of risk (minimizing uncertainty and maximizing opportunities), the concept pushes an organization to address risks and their management explicitly, as part of everyday business.

Slide 16: Applying EWRM to Satisfy Sarbanes-Oxley Requirements
[Diagram relating Internal Accounting Controls and Disclosure Requirements to the Financial Reporting, Compliance and Operations objectives. Legend: Internal Controls Over Financial Reporting; Disclosure Controls and Procedures; Other aspects of Compliance and Operations pertaining to DC&P.]

Slide 17: Operationalizing the Control Structure

Slide 18: EWRM is Supported by the COSO Framework
- COSO defines internal controls as a process effected by an entity's Board of Directors, Management and other personnel, designed to provide reasonable assurance regarding achievement of the objectives in each of the following categories:
  - Effectiveness & Efficiency of Operations
  - Reliability of Financial Reporting
  - Compliance with Applicable Laws and Regulations

Slide 19: EWRM is Supported by the COSO Framework (continued)
Control Environment: Sets the tone of the organization, influencing the control consciousness of its people. Factors include integrity, ethical values, competence, authority, responsibility. Foundation for all other components of control.
Risk Assessment: The identification and analysis of relevant risks to achieving the entity's objectives, forming the basis for determining control activities.
Control Activities: Policies/procedures that ensure management directives are carried out. Range of activities including approvals, authorizations, verifications, recommendations, performance reviews, asset security and segregation of duties.
Information and Communication: Pertinent information identified, captured and communicated in a timely manner. Access to internally and externally generated information. Flow of information that allows for successful control actions, from instructions on responsibilities to summary of findings for management action.
Monitoring: Assessment of a control system's performance over time. Combination of ongoing and separate evaluation. Management and supervisory activities. Internal audit activities.
All five components must be in place for a control to be effective.

Slide 20: Critical Steps of EWRM
1. Creating a Risk Aware Culture: Guidance and training should be provided to franchise and functional leaders and teams on what is meant when we speak of risk, impact, internal control, etc.; development of a communication plan and supporting infrastructure.
2. Identify Risk: Proactive identification of events or conditions that could compromise business objectives, categorized by franchise and functional areas. Accountability is assigned to each risk. Functional teams strive to identify risks "before they occur or in time" to mitigate the impact of the risk, and communicate their views to a risk facilitator on a timely basis.
3. Assess Risk: Evaluation of risk allowing for prioritization of resources.
4. Manage Risk: Management determines whether the company accepts, rejects, mitigates or transfers individual or classes of risks. Issue resolution process is in place.

Slide 21: Getting Started: A Suggested Approach
- Assess your organization's current techniques, tools and approaches for evaluating risk across the organization and consider the appropriate level of opportunity:
  - High-level view at an enterprise level, or
  - Detailed view at Business Unit level
- Conduct a gap analysis of current risk management practices against leading practice models, identifying existing internal best practices and potential opportunities for improvement
- Develop recommendations for an enterprise-wide risk management framework specific to your organization, including an execution plan to not only identify risks but mitigate them with controls

Slide 22: Getting Started: A Suggested Approach
- Once the assessment is complete, design and implement an enterprise-wide risk management program for your organization
- Facilitate decision making and monitor program effectiveness
- Functional management will take the lead, with counsel from the risk management facilitator, to identify, assess and decide how they will mitigate risks

Appoint a Risk Management Facilitator (this is a leading practice):
- Develop and articulate the risk strategy
- Develop tools to identify risk (leverage existing initiatives)
- Develop a methodology to identify and prioritize risk

Create a Template to Capture Risk Profile, including:
- Nature of the risk
- Business impact
- Probability of occurrence
- Exposure to the company
- Controls that exist to mitigate the risks
- Gaps, if any

Evaluate and Report:
- Consolidated risks to senior management, including supporting management's assertion under Section 404
- Ensure accountability for identified gaps within functional management

Slide 23: Getting Started: A Suggested Approach
- For rating the Potential Impact of a risk, the financial, operational and/or legal implications can be considered, as well as the ability to achieve the stated objective in the face of that risk. Respondents can apply a rating corresponding to the level of impact of the risk, as follows:
  - Low: if the impact of the risk would have some financial, operational and/or legal implications and require attention, but is no greater than an irritant to the organization
  - Medium: if the impact of the risk would have significant financial, operational and/or legal implications, and/or would significantly delay the ability to achieve the objectives or otherwise affect it
  - High: if the impact of the risk would have major financial, operational and/or legal implications and/or it is so significant one would need to abandon the objectives

Slide 24: Getting Started: A Suggested Approach
- For rating the Probability of risks, the frequency of historical events can be considered as well as the current outlook. Respondents can apply the rating corresponding to the probability of occurrence of the risk, as follows:
  - Low: if the likelihood of this risk occurring is unlikely
  - Medium: if the likelihood of occurrence is somewhat likely
  - High: if the likelihood of occurrence is very likely
- Responsible parties should be identified
- External environment should be considered

Slide 25: Getting Started: A Suggested Approach
- For all risks with a high composite rating, respondents can identify "Primary Exposure" to indicate the direct exposure facing an organization, using categories such as:
  - Government Enforcement
  - Regulatory Violation
  - Financial Loss
  - Reputational Damage
  - Failure to comply with internal policy
  - Inefficiencies and/or excessive costs
  - Inappropriate financial reporting or disclosure
  - Legal Risk

Slide 26: Getting Started: A Suggested Approach
- In addition, for all risks with a high composite rating, existing control mechanisms should be considered. An organization's management should apply a rating corresponding to the level of control, such as the following:
  - Policies and procedures exist and are tested as part of external or internal audits, and/or monitoring controls are in place
  - Policies and procedures exist
  - Policies and procedures are in the early stages of development
  - Policies and procedures do not exist

Slide 27: Case Example: A Pharmaceutical Company

Functional Area        # of Risks Identified   # of "High" Risks Identified   # of "High" Risks Identified w/Limited Controls in Place
Sales & Marketing      22                      14                             8
R&D                    15                      12                             2
Manufacturing          45                      5                              1
Regulatory Affairs     26                      6                              1
Financial Reporting    15                      8                              0
HR                     45                      12                             2
IT                     8                       6                              2
International          16                      8                              2
Total

Slide 28: Benefits of EWRM
- Enhanced decision making process
- Prevention, detection and resolution of improper behavior, including an "early warning system"
- Improved effectiveness of compliance across the organization
- Integrated approach to risk, yielding increased efficiencies and reduced costs
- Mitigated impact of risk issues on the business, both offensively and defensively
- Increased internal customer satisfaction

Slide 29: In Summary, EWRM Provides
- An integrated, dynamic display of business objectives, key risks, and controls that are aligned with supporting policies, procedures, and operating principles
- A robust, flexible structure that can deal systematically with both external and internal changes affecting the company
- An aligned and supportive infrastructure that facilitates early identification of new risks, communication, training, incident identification, issues management, and internal and external reporting
- A gap analysis in connection with Sections 302 and 404 of Sarbanes-Oxley

Slide 30: For More Information
Contact: Michael L. Shaw, Senior Manager
PricewaterhouseCoopers
1300 K Street, N.W., Suite 800
Washington, D.C. 20005
(202) 414-1552
michael.l.shaw@us.pwcglobal.com
